From 59458a3ba1bf06fb6a0fa2c79d27a1d3e6c88a10 Mon Sep 17 00:00:00 2001
From: Romain Paquet
Date: Tue, 27 Jan 2026 14:36:11 +0100
Subject: [PATCH] haze: use lanzaboote
---
 machines/haze/configuration.nix | 1 +
 modules/lanzaboote.nix | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 modules/lanzaboote.nix
diff --git a/machines/haze/configuration.nix b/machines/haze/configuration.nix
index c0e7a59..8f8e7f0 100644
--- a/machines/haze/configuration.nix
+++ b/machines/haze/configuration.nix
@@ -18,6 +18,7 @@ self.nixosModules.desktop self.nixosModules.dev + self.nixosModules.lanzaboote self.nixosModules.nix-defaults self.inputs.home-manager.nixosModules.home-manager
diff --git a/modules/lanzaboote.nix b/modules/lanzaboote.nix
new file mode 100644
index 0000000..147d8db
--- /dev/null
+++ b/modules/lanzaboote.nix
@@ -0,0 +1,23 @@
+{
+ self,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ imports = [
+ self.inputs.lanzaboote.nixosModules.lanzaboote
+ ];
+
+ environment.systemPackages = [
+ # For debugging and troubleshooting Secure Boot.
+ pkgs.sbctl
+ ];
+
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+}
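Review bot: modules/lanzaboote.nix states none of the out-of-band prerequisites it relies on: `pkiBundle = "/var/lib/sbctl"` expects a key bundle to already exist at that path, and enabling `boot.lanzaboote` by itself only signs the boot artifacts, so firmware enforcement presumably still needs the keys enrolled and Secure Boot switched on per machine. I would add a header comment such as `# Prerequisite: run "sbctl create-keys" before the first rebuild, then "sbctl enroll-keys" and enable Secure Boot in firmware; check with "sbctl status".` Since the private signing keys sit under /var/lib/sbctl on the running system, the comment could also say they are expected to stay root-only and on an encrypted disk (haze's disk layout is not visible in this patch). A one-line comment above `boot.loader.systemd-boot.enable = lib.mkForce false;`, e.g. `# lanzaboote replaces the systemd-boot install step; mkForce overrides the host's own setting.`, would explain why the override is there.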